Abstract : The main novelty of this paper is to consider an extension of the Calculus of Constructions where predicates can be defined with a general form of rewrite rules.

We prove the strong normalization of the reduction relation generated by the $\beta$-rule and the user-defined rules under some general syntactic conditions including confluence.

As examples, we show that two important systems satisfy these conditions : a sub-system of the Calculus of Inductive Constructions which is the basis of the proof assistant Coq, and the Natural Deduction Modulo a large class of equational theories.

1 Introduction 

This work aims at defining an expressive language allowing one to specify and prove mathematical properties, in which functions and predicates can be defined by rewrite rules, hence enabling the automatic proof of equational problems.

The Calculus of Constructions. The quest for such a language started with Girard's system F [19] on one hand and De Bruijn's Automath project [18] on the other hand. Later, Coquand and Huet combined both calculi into the Calculus of Constructions (CC) [10]. As in system F, in CC, data structures are defined by using an impredicative encoding which is difficult to use in practice. Following Martin-Löf's theory of types [24], Coquand and Paulin-Mohring defined an extension of CC with inductive types and their associated induction principles as first-class objects : the Calculus of Inductive Constructions (CIC) [26] which is the basis of the proof-assistant Coq [17].

Reasoning Modulo. Defining functions or predicates by recursion is not always convenient. Moreover, with such definitions, equational reasoning is awkward and leads to very large proof terms. Yet, for decidable theories, equational proofs need not be kept in proof terms. This idea that proving is not only reasoning (undecidable) but also computing (decidable) has recently been formalized in a general way by Dowek, Hardin and Kirchner with the Natural Deduction Modulo (NDM) for first-order logic [12].

Object-level rewriting. In CC, the first extension by a general notion of rewriting is the $\lambda R$-cube of Barbanera, Fernandez and Geuvers [1]. Their work extends the works of Breazu-Tannen and Gallier [8] and Jouannaud and Okada [21] on the combination of typed $\lambda$-calculi with rewriting. The notion of rewriting considered in [21, 1] is not restricted to first-order rewriting, but also includes higher-order rewriting following Jouannaud and Okada's General Schema [21], a generalization of the primitive recursive definition schema. This schema has been reformulated and enhanced so as to deal with definitions on strictly-positive inductive types [5] and with higher-order pattern-matching [3].

Predicate-level rewriting. The notion of rewriting considered in [1] is restricted to the object-level while, in CIC or NDM, it is possible to define predicates by recursion or by rewriting respectively. Recursion at the predicate-level is called "strong elimination" in [26] and has been shown consistent by Werner [31].

Our contributions. The main contribution of our work is a strong normalization result for the Calculus of Constructions extended with, at the predicate-level, user-defined rewrite rules satisfying some general admissibility conditions. As examples, we show that these conditions are satisfied by a sub-system of CIC with strong elimination [26] and the Natural Deduction Modulo [13] a large class of equational theories.

So, our work can be used as a foundation for an extension of a proof assistant like Coq [17] where users could define functions and predicates by rewrite rules. Checking the admissibility conditions or the convertibility of two expressions may require the use of external specialized tools like CiME [16] or ELAN [15].

Outline of the paper. In Section 2, we introduce the Calculus of Algebraic Constructions and our notations. In Section 3, we present our general syntactic conditions. In Section 4, we apply our result to CIC and NDM. In Section 5, we summarize the main contributions of our work and, in Section 6, we give future directions of work. Detailed proofs can be found in [4].

2 The Calculus of Algebraic Constructions (CAC)

2.1 Syntax and notations 

We assume the reader familiar with the basics of rewriting [11] and typed $\lambda$-calculus [2].

Sorts and symbols. Throughout the paper, we let $\mathcal S = \{*, \Box\}$ be the set of sorts where $*$ denotes the impredicative universe of propositions and $\Box$ a predicative universe containing $*$. We also assume given a family $\mathcal F = (\mathcal F^s_n)_{s \in \mathcal S, n \in \mathbb N}$ of sets of symbols and a family $\mathcal X = (\mathcal X^s)_{s \in \mathcal S}$ of infinite sets of variables. A symbol $f \in \mathcal F^s_n$ is said to be of arity $\alpha_f = n$ and sort $s$. $\mathcal F^s$, $\mathcal F_n$, $\mathcal F$ and $\mathcal X$ respectively denote the set of symbols of sort $s$, the set of symbols of arity $n$, the set of all symbols and the set of all variables.

Terms. The terms of the corresponding CAC are given by the following syntax :

$$t ::= s \mid x \mid f(\vec t) \mid (x:t)t \mid [x:t]t \mid tt$$

where $s \in \mathcal S$, $x \in \mathcal X$ and $f$ is applied to a vector $\vec t$ of $n$ terms if $f \in \mathcal F_n$. $[x:U]t$ is the abstraction and $(x:U)V$ is the product. A term is algebraic if it is a variable or of the form $f(\vec t)$ with each $t_i$ algebraic.

Notations. As usual, we consider terms up to $\alpha$-conversion. We denote by $FV(t)$ the set of free variables of $t$, by $FV^s(t)$ the set $FV(t) \cap \mathcal X^s$, by $t\{x \mapsto u\}$ the term obtained by substituting in $t$ every free occurrence of $x$ by $u$, by $dom(\theta)$ the domain of the substitution $\theta$, by $dom^s(\theta)$ the set $dom(\theta) \cap \mathcal X^s$, by $Pos(t)$ the set of positions in $t$ (words on the alphabet of positive integers), by $t|_p$ the subterm of $t$ at position $p$, by $t[u]_p$ the term obtained by replacing $t|_p$ by $u$ in $t$, and by $Pos(f,t)$ and $Pos(x,t)$ the sets of positions in $t$ where $f$ occurs and $x$ freely occurs respectively. As usual, we write $T \to U$ for a product $(x:T)U$ where $x \notin FV(U)$.

Rewriting. We assume given a set $\mathcal R$ of rewrite rules defining the symbols in $\mathcal F$. The rules we consider are pairs $l \to r$ made of two terms $l$ and $r$ such that $l$ is an algebraic term of the form $f(\vec l)$ and $FV(r) \subseteq FV(l)$. They induce a rewrite relation $\to_{\mathcal R}$ on terms defined by $t \to_{\mathcal R} t'$ iff there are $p \in Pos(t)$, $l \to r \in \mathcal R$ and a substitution $\sigma$ such that $t|_p = l\sigma$ and $t' = t[r\sigma]_p$ (matching is first-order). So, $\mathcal R$ can be seen as a particular case of Combinatory Reduction System (CRS) [23] (translate $[x:T]u$ into $\lambda(T, [x]u)$ and $(x:T)U$ into $\Pi(T, [x]U)$) for which higher-order pattern-matching is not necessary.

Reduction. The reduction relation of the calculus is $\to = \to_{\mathcal R} \cup \to_\beta$ where $\to_\beta$ is defined as usual by $[x:T]u\ t \to_\beta u\{x \mapsto t\}$. We denote by $\to^*$ its reflexive and transitive closure, by $\leftrightarrow^*$ its symmetric, reflexive and transitive closure, and by $t \downarrow^* u$ the fact that $t$ and $u$ have a common reduct.

2.2 Typing 

Types of symbols. We assume given a function $\tau$ which, to each symbol $f$, associates a term $\tau_f$, called its type, of the form $(\vec x:\vec T)U$ with $|\vec x| = \alpha_f$. In contrast with our own previous work [5] or the work of Barbanera, Fernandez and Geuvers [1], symbols can have polymorphic as well as dependent types, as is the case in CIC.

Typing. An environment $\Gamma$ is an ordered list of pairs $x_i : T_i$ saying that $x_i$ is of type $T_i$. The typing relation of the calculus, $\vdash$, is defined by the rules of Figure 1 (where $s, s' \in \mathcal S$).

An environment is valid if there is a term typable in it. The condition $\Gamma \vdash v : V$ in the (symb) rule ensures that $\Gamma$ is valid in the case where $n = 0$.

Substitutions. Given two valid environments $\Gamma$ and $\Delta$, a substitution $\theta$ is a well-typed substitution from $\Gamma$ to $\Delta$, written $\theta : \Gamma \to \Delta$, if, for all $x \in dom(\Gamma)$, $\Delta \vdash x\theta : x\Gamma\theta$, where $x\Gamma$ denotes the type associated to $x$ in $\Gamma$. With such a substitution, if $\Gamma \vdash t : T$ then $\Delta \vdash t\theta : T\theta$.

Logical consistency. As usual, the logical consistency of such a system is proved in three steps.

First, we must make sure that the reduction relation is correct w.r.t. the typing relation : if $\Gamma \vdash t : T$ and $t \to t'$ then $\Gamma \vdash t' : T$. This property, called subject reduction, is not easy to prove for extensions of CC [31, 1]. In the following subsection, we give sufficient conditions for it.

The second step is to prove that the reduction relation $\to$ is weakly or strongly normalizing, hence that every well-typed term has a normal form. Together with the confluence, this implies the decidability of the typing relation which is essential in proof assistants. In this paper, we will study the strong normalization property.

Figure 1: Typing rules

(ax) $\dfrac{}{\vdash * : \Box}$

(symb) $\dfrac{f \in \mathcal F \quad \tau_f = (\vec x:\vec T)U \quad \gamma = \{\vec x \mapsto \vec t\} \quad \vdash \tau_f : s \quad \Gamma \vdash v : V \quad \forall i,\ \Gamma \vdash t_i : T_i\gamma}{\Gamma \vdash f(\vec t) : U\gamma}$

(var) $\dfrac{\Gamma \vdash T : s \quad x \in \mathcal X^s \setminus dom(\Gamma)}{\Gamma, x:T \vdash x : T}$

(weak) $\dfrac{\Gamma \vdash t : T \quad \Gamma \vdash U : s \quad x \in \mathcal X^s \setminus dom(\Gamma)}{\Gamma, x:U \vdash t : T}$

(prod) $\dfrac{\Gamma \vdash T : s \quad \Gamma, x:T \vdash U : s'}{\Gamma \vdash (x:T)U : s'}$

(abs) $\dfrac{\Gamma, x:T \vdash u : U \quad \Gamma \vdash (x:T)U : s}{\Gamma \vdash [x:T]u : (x:T)U}$

(app) $\dfrac{\Gamma \vdash t : (x:U)V \quad \Gamma \vdash u : U}{\Gamma \vdash tu : V\{x \mapsto u\}}$

(conv) $\dfrac{\Gamma \vdash t : T \quad T \downarrow^* T' \quad \Gamma \vdash T' : s'}{\Gamma \vdash t : T'}$

The third step is to make sure that there is no normal proof of $\bot = (P:*)P$ in the empty environment. Indeed, if $\bot$ is provable then any proposition $P$ is provable. We will not address this problem here.

2.3 Subject reduction 

Proving subject reduction for $\to_\beta$ requires the following property [4] :

$$(x:U)V \leftrightarrow^* (x:U')V' \ \Rightarrow\ U \leftrightarrow^* U' \wedge V \leftrightarrow^* V'$$

It is easy to see that this property is satisfied when $\to$ is confluent, an assumption which is part of our admissibility conditions described in the next section.

For $\to_{\mathcal R}$, the idea present in all previous works is to require that, for each rule $l \to r$, there is an environment $\Gamma$ and a type $T$ such that $\Gamma \vdash l : T$ and $\Gamma \vdash r : T$. However, this approach has an important drawback : in presence of dependent or polymorphic types, it leads to non-left-linear rules.

For example, consider the type $list : * \to *$ of polymorphic lists built from $nil : (A:*)list(A)$ and $cons : (A:*)A \to list(A) \to list(A)$, and the concatenation function $app : (A:*)list(A) \to list(A) \to list(A)$. To fulfill the previous condition, we must define $app$ as follows :

$$app(A, nil(A), \ell) \to \ell$$
$$app(A, cons(A, x, \ell), \ell') \to cons(A, x, app(A, \ell, \ell'))$$


This has two important consequences. The first one is that rewriting is slowed down because of numerous equality tests. The second one is that it may become much more difficult to prove the confluence of the rewrite relation and of its combination with $\to_\beta$.

We are going to see that we can take the following left-linear definition without losing the subject reduction property :

$$app(A, nil(A'), \ell) \to \ell$$
$$app(A, cons(A', x, \ell), \ell') \to cons(A, x, app(A, \ell, \ell'))$$
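As an added illustration (not code from the paper), the following Python script implements first-order matching and rewriting over algebraic terms and runs both definitions of $app$ on the same input. The symbols $app$, $cons$, $nil$ and the variable names are the page's; the symbols $nat$, $0$ and $id$, the rule $id(X) \to X$ and the input term are constructed for this demonstration only.

```python
# Added example (not from the paper): a small first-order rewriting engine
# over algebraic terms, used to contrast the non-left-linear definition of
# app with its left-linear variant.  app, cons, nil and the variable names
# are the page's; nat, 0, id, the rule id(X) -> X and the input term are
# constructed for this demonstration only.

def var(name):
    return ('var', name)

def sym(name, *args):
    return ('sym', name, tuple(args))

def match(pattern, term, subst):
    """First-order matching of `term` against `pattern`, extending `subst`.

    Returns a substitution s with pattern*s == term, or None.  A pattern
    variable that occurs twice must be bound to syntactically equal subterms:
    this is the equality test a non-left-linear rule needs."""
    if pattern[0] == 'var':
        name = pattern[1]
        if name in subst:
            return subst if subst[name] == term else None
        return {**subst, name: term}
    if term[0] != 'sym' or pattern[1] != term[1] or len(pattern[2]) != len(term[2]):
        return None
    for p, t in zip(pattern[2], term[2]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def substitute(subst, term):
    """Apply a substitution to a term (t{x -> u} in the paper's notation)."""
    if term[0] == 'var':
        return subst.get(term[1], term)
    return ('sym', term[1], tuple(substitute(subst, a) for a in term[2]))

def rewrite_head(rules, term):
    """One rewrite step at the root of `term` with the first rule that matches, or None."""
    for lhs, rhs in rules:
        subst = match(lhs, term, {})
        if subst is not None:
            return substitute(subst, rhs)
    return None

def normalize(rules, term):
    """Innermost normalisation: arguments first, then the root, until no rule applies."""
    if term[0] == 'sym':
        term = ('sym', term[1], tuple(normalize(rules, a) for a in term[2]))
    reduct = rewrite_head(rules, term)
    return term if reduct is None else normalize(rules, reduct)

A, A1, X, L, L2 = var('A'), var("A'"), var('x'), var('l'), var("l'")

# The definition whose left-hand sides are typable: A occurs twice in each of them.
NON_LEFT_LINEAR = [
    (sym('app', A, sym('nil', A), L), L),
    (sym('app', A, sym('cons', A, X, L), L2), sym('cons', A, X, sym('app', A, L, L2))),
]

# The left-linear definition: A' is a distinct variable, so no equality test is needed.
LEFT_LINEAR = [
    (sym('app', A, sym('nil', A1), L), L),
    (sym('app', A, sym('cons', A1, X, L), L2), sym('cons', A, X, sym('app', A, L, L2))),
]

# Constructed symbols: id(X) -> X makes id(nat) convertible to nat while
# remaining syntactically different from it.
ID_RULE = [(sym('id', var('X')), var('X'))]
NAT, ZERO = sym('nat'), sym('0')
NIL_NAT = sym('nil', NAT)
# Constructed input: app(id(nat), cons(nat, 0, nil(nat)), nil(nat)).
INPUT = sym('app', sym('id', NAT), sym('cons', NAT, ZERO, NIL_NAT), NIL_NAT)

def head_steps():
    """Root step on INPUT under each definition (None when no rule matches)."""
    return rewrite_head(NON_LEFT_LINEAR, INPUT), rewrite_head(LEFT_LINEAR, INPUT)

def normal_forms():
    """Normal forms of INPUT once id(nat) can be reduced to nat."""
    return (normalize(NON_LEFT_LINEAR + ID_RULE, INPUT),
            normalize(LEFT_LINEAR + ID_RULE, INPUT))

if __name__ == '__main__':
    print(head_steps())
    print(normal_forms())
```

With the non-left-linear rules, `rewrite_head` refuses the root step: both occurrences of $A$ must match syntactically equal subterms, and $id(nat)$ is not syntactically $nat$ although the two are convertible. The left-linear rule fires at once. Once $id(nat)$ has been reduced, both definitions give the same normal form, which is the situation the subject-reduction argument below exploits.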

Let $l = app(A, cons(A', x, \ell), \ell')$, $r = cons(A, x, app(A, \ell, \ell'))$, $\Gamma$ be an environment and $\sigma$ a substitution such that $\Gamma \vdash l\sigma : list(A\sigma)$. We must prove that $\Gamma \vdash r\sigma : list(A\sigma)$. For $\Gamma \vdash l\sigma : list(A\sigma)$, we must have a derivation like :

$\dfrac{\Gamma \vdash A'\sigma : * \quad \Gamma \vdash x\sigma : A'\sigma \quad \Gamma \vdash \ell\sigma : list(A'\sigma)}{\Gamma \vdash cons(A'\sigma, x\sigma, \ell\sigma) : list(A'\sigma)}$ (symb)

$\dfrac{\Gamma \vdash cons(A'\sigma, x\sigma, \ell\sigma) : list(A'\sigma) \quad list(A'\sigma) \downarrow^* list(A\sigma) \quad \Gamma \vdash list(A\sigma) : *}{\Gamma \vdash cons(A'\sigma, x\sigma, \ell\sigma) : list(A\sigma)}$ (conv)

$\dfrac{\Gamma \vdash A\sigma : * \quad \Gamma \vdash cons(A'\sigma, x\sigma, \ell\sigma) : list(A\sigma) \quad \Gamma \vdash \ell'\sigma : list(A\sigma)}{\Gamma \vdash l\sigma : list(A\sigma)}$ (symb)

Therefore, $A'\sigma \downarrow^* A\sigma$ and we can derive $\Gamma \vdash x\sigma : A\sigma$, $\Gamma \vdash \ell\sigma : list(A\sigma)$ and :

$\dfrac{\Gamma \vdash A\sigma : * \quad \Gamma \vdash \ell\sigma : list(A\sigma) \quad \Gamma \vdash \ell'\sigma : list(A\sigma)}{\Gamma \vdash app(A\sigma, \ell\sigma, \ell'\sigma) : list(A\sigma)}$ (symb)

$\dfrac{\Gamma \vdash A\sigma : * \quad \Gamma \vdash x\sigma : A\sigma \quad \Gamma \vdash app(A\sigma, \ell\sigma, \ell'\sigma) : list(A\sigma)}{\Gamma \vdash r\sigma : list(A\sigma)}$ (symb)

The point is that, although $l$ is not typable, from any typable instance $l\sigma$ of $l$, we can deduce that $A'\sigma \downarrow^* A\sigma$. In this way, we come to the following conditions :

Definition 1 (Type-preserving rewrite rule) A rewrite rule $l \to r$ is type-preserving if there is an environment $\Gamma$ and a substitution $\rho$ such that, if $l = f(\vec l)$, $\tau_f = (\vec x:\vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$ then :

(S1) $dom(\rho) \subseteq FV(l) \setminus dom(\Gamma)$,

(S2) $\Gamma \vdash l\rho : U\gamma\rho$,

(S3) $\Gamma \vdash r : U\gamma\rho$,

(S4) for any substitution $\sigma$, environment $\Delta$ and type $T$, if $\Delta \vdash l\sigma : T$ then $\sigma : \Gamma \to \Delta$,

(S5) for any substitution $\sigma$, environment $\Delta$ and type $T$, if $\Delta \vdash l\sigma : T$ then, for all $x \in dom(\rho)$, $x\sigma \downarrow^* x\rho\sigma$.

In our example, it suffices to take $\Gamma = A:*, x:A, \ell:list(A), \ell':list(A)$ and $\rho = \{A' \mapsto A\}$.

One may wonder how to check these conditions. In practice, the symbols are incrementally defined. So, assume that we have a confluent and strongly normalizing CAC built over $\mathcal F$ and $\mathcal R$ and that we want to add a new symbol $g$. Then, given $\Gamma$ and $\rho$, it is decidable to check (S1) to (S3) in the CAC built over $\mathcal F \cup \{g\}$ and $\mathcal R$ since this system is confluent and strongly normalizing. In [4], we give a simple condition ensuring (S4) ($\Gamma$ simply needs to be well chosen). The condition (S5) is the most difficult to check and may require the confluence of $\to$.

3 Admissibility conditions 

3.1 Inductive structure 

Until now, we made few assumptions on symbols or rewrite rules. In particular, we have no notion of inductive type. Yet, the structure of inductive types plays a key role in strong normalization proofs [25]. On the other hand, we want rewriting to be as general as possible by allowing matching on defined symbols and equations among constructors. This is why, in the following, we introduce an extended notion of constructor and a notion of inductive structure which generalize usual definitions of inductive types [26]. Note that, in contrast with our previous work [5], we allow inductive types to be polymorphic and dependent, as is the case in CIC.

Definition 2 (Constructors) For $\mathcal G \subseteq \mathcal F$, let $\mathcal R_{\mathcal G}$ be the set of rules defining the symbols in $\mathcal G$, that is, the rules whose left-hand side is headed by a symbol in $\mathcal G$. The set of free symbols is $\mathcal{CF} = \{f \in \mathcal F \mid \mathcal R_{\{f\}} = \emptyset\}$. The set of defined symbols is $\mathcal{DF} = \mathcal F \setminus \mathcal{CF}$. The set of constructors of a free predicate symbol $C$ is $Co(C) = \{f \in \mathcal F^* \mid \tau_f = (\vec y:\vec U)C(\vec v) \text{ and } |\vec y| = \alpha_f\}$.

The constructors of $C$ not only include the constructors in the usual sense but every defined symbol whose output type is $C$. For example, the symbols $0 : int$, $s : int \to int$, $p : int \to int$, $+ : int \to int \to int$ and $\times : int \to int \to int$ defined by the rules $s(p(x)) \to x$, $p(s(x)) \to x$ and others for $+$ and $\times$ are all constructors of the type $int$ of integers.

Definition 3 (Inductive structure) An inductive structure is given by :

• a quasi-ordering $\le_{\mathcal F}$ on $\mathcal F$, called precedence, whose strict part, $>_{\mathcal F}$, is well-founded,

• for each $C \in \mathcal{CF}^\Box$ such that $\tau_C = (\vec x:\vec T)*$, a set $Ind(C) \subseteq \{i \in \{1,..,\alpha_C\} \mid x_i \in \mathcal X^\Box\}$ of inductive positions,

• for each constructor $c$, a set $Acc(c) \subseteq \{1,..,\alpha_c\}$ of accessible positions.

The accessible positions allow the user to describe which patterns can be used for defining functions, and the inductive positions allow one to describe the arguments on which the free predicate symbols should be monotone. This allows us to generalize the notion of positivity used in CIC.

Definition 4 (Positive and negative positions) The sets of positive positions $Pos^+(T)$ and negative positions $Pos^-(T)$ of a term $T$ are mutually defined by induction on $T$ as follows :

- $Pos^+(s) = Pos^+(F(\vec t)) = Pos^+(X) = \{\varepsilon\}$,

- $Pos^-(s) = Pos^-(F(\vec t)) = Pos^-(X) = \emptyset$,

- $Pos^\delta((x:V)W) = 1.Pos^{-\delta}(V) \cup 2.Pos^\delta(W)$,

- $Pos^\delta([x:V]W) = 1.Pos(V) \cup 2.Pos^\delta(W)$,

- $Pos^\delta(Vu) = 1.Pos^\delta(V) \cup 2.Pos(u)$,

- $Pos^\delta(VU) = 1.Pos^\delta(V)$,

- $Pos^+(C(\vec t)) = \{\varepsilon\} \cup \bigcup \{i.Pos^+(t_i) \mid i \in Ind(C)\}$,

- $Pos^-(C(\vec t)) = \bigcup \{i.Pos^-(t_i) \mid i \in Ind(C)\}$,

where $\delta \in \{-,+\}$, $-+ = -$ and $-- = +$.

For example, in $(x:A)B$, $B$ occurs positively while $A$ occurs negatively. Now, with the type $list$ of polymorphic lists, $A$ occurs positively in $list(A)$ iff $Ind(list) = \{1\}$.

Definition 5 (Admissible inductive structure) An inductive structure is admissible if, for all $C \in \mathcal{CF}^\Box$ with $\tau_C = (\vec x:\vec T)*$ and all $c$ with $\tau_c = (\vec y:\vec U)C(\vec v)$ :

(I1) $\forall i \in Ind(C)$, $v_i \in \mathcal X^\Box$,

and for all $j \in Acc(c)$ :

(I2) $\forall i \in Ind(C)$, $Pos(v_i, U_j) \subseteq Pos^+(U_j)$,

(I3) $\forall D \in \mathcal{CF}^\Box$, $D =_{\mathcal F} C \Rightarrow Pos(D, U_j) \subseteq Pos^+(U_j)$,

(I4) $\forall D \in \mathcal{CF}^\Box$, $D >_{\mathcal F} C \Rightarrow Pos(D, U_j) = \emptyset$,

(I5) $\forall F \in \mathcal{DF}^\Box$, $Pos(F, U_j) = \emptyset$,

(I6) $\forall X \in FV^\Box(U_j)$, $\exists \iota_X \in \{1,..,\alpha_C\}$, $v_{\iota_X} = X$.

For example, with the type $list$ of polymorphic lists, $Ind(list) = \{1\}$, $Acc(nil) = \{1\}$ and $Acc(cons) = \{1,2,3\}$ is an admissible inductive structure. If we add the type $tree : *$ and the constructor $node : list(tree) \to tree$ with $Acc(node) = \{1\}$, we still have an admissible structure.
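As an added example (not from the paper), this Python script implements the clauses of Definition 4 for sorts, variables, products and symbol applications (the abstraction and application clauses are omitted) and uses them to check the occurrence conditions (I2) and (I3) of Definition 5 on the page's $list$, $cons$, $tree$ and $node$. The symbol $nat$ and the constructor $bad$ are constructed counter-examples; the term representation is mine.

```python
# Added example (not from the paper): Definition 4's positive and negative
# positions for sorts, variables, products and symbol applications (the
# abstraction and application clauses are left out), plus the occurrence
# conditions (I2) and (I3) of Definition 5 checked on one constructor.
# list, cons, tree and node are the page's; nat and the constructor `bad`
# are constructed counter-examples.

EPS = ()  # the root position, written epsilon in the paper

def sort(s):        return ('sort', s)
def var(x):         return ('var', x)
def sym(f, *args):  return ('sym', f, tuple(args))
def prod(x, V, W):  return ('prod', x, V, W)   # the product (x:V)W

def subterm(t, p):
    """t|_p: follow position p (a tuple of positive integers) down into t."""
    for i in p:
        t = t[2][i - 1] if t[0] == 'sym' else (t[2] if i == 1 else t[3])
    return t

def positions(t):
    """Pos(t): all positions of t."""
    out = {EPS}
    if t[0] == 'sym':
        for i, a in enumerate(t[2], 1):
            out |= {(i,) + p for p in positions(a)}
    elif t[0] == 'prod':
        out |= {(1,) + p for p in positions(t[2])}
        out |= {(2,) + p for p in positions(t[3])}
    return out

def occurrences(name, t):
    """Pos(f,t) or Pos(x,t): the positions of t where symbol or variable `name` occurs."""
    return {p for p in positions(t)
            if subterm(t, p)[0] in ('sym', 'var') and subterm(t, p)[1] == name}

def signed_positions(t, delta, ind):
    """Pos^delta(t) for delta = +1 or -1.  `ind` maps each free predicate
    symbol C to Ind(C); any other symbol application is an F(t) in the
    sense of Definition 4 and contributes only its root, positively."""
    root = {EPS} if delta > 0 else set()
    if t[0] in ('sort', 'var'):
        return root
    if t[0] == 'prod':   # Pos^d((x:V)W) = 1.Pos^-d(V) u 2.Pos^d(W)
        return ({(1,) + p for p in signed_positions(t[2], -delta, ind)}
                | {(2,) + p for p in signed_positions(t[3], delta, ind)})
    C, args = t[1], t[2]
    if C not in ind:
        return root
    out = set(root)      # Pos^d(C(t)) = (root if d = +) u U{ i.Pos^d(t_i) | i in Ind(C) }
    for i in ind[C]:
        out |= {(i,) + p for p in signed_positions(args[i - 1], delta, ind)}
    return out

def occurs_only_positively(name, t, ind):
    """Pos(name, t) is included in Pos^+(t)."""
    return occurrences(name, t) <= signed_positions(t, +1, ind)

def constructor_is_admissible(C, params, arg_types, ind):
    """(I2) and (I3) for a constructor with output type C(params), every
    argument being accessible: each inductive parameter v_i (assumed to be a
    variable, as (I1) requires) and C itself occur only positively in each U_j."""
    names = [params[i - 1][1] for i in ind[C]] + [C]
    return all(occurs_only_positively(n, U, ind) for U in arg_types for n in names)

IND = {'list': {1}, 'tree': set()}   # the page's admissible choice Ind(list) = {1}
STAR, A, TREE, NAT = sort('*'), var('A'), sym('tree'), sym('nat')

def page_examples():
    """The observations made on the page right after Definition 4."""
    T = prod('x', var('A'), var('B'))
    L = sym('list', A)
    return {
        'B positive in (x:A)B': occurs_only_positively('B', T, {}),
        'A positive in (x:A)B': occurs_only_positively('A', T, {}),
        'A negative in (x:A)B': occurrences('A', T) <= signed_positions(T, -1, {}),
        'A positive in list(A) with Ind(list)={1}': occurs_only_positively('A', L, {'list': {1}}),
        'A positive in list(A) with Ind(list)={}': occurs_only_positively('A', L, {'list': set()}),
    }

# cons : (A:*)(x:A)(l:list(A))list(A), parameter vector v = (A)
CONS_OK = constructor_is_admissible('list', [A], [STAR, A, sym('list', A)], IND)
# node : list(tree) -> tree
NODE_OK = constructor_is_admissible('tree', [], [sym('list', TREE)], IND)
# bad : ((x:tree)nat) -> tree  (constructed): tree occurs negatively in (x:tree)nat
BAD_OK = constructor_is_admissible('tree', [], [prod('x', TREE, NAT)], IND)
```

`node` passes (I3) only because $Ind(list) = \{1\}$ makes position $1$ of $list(tree)$ positive; the constructed `bad` fails because its argument type $(x:tree)nat$ puts $tree$ under the negative side of a product, exactly the case the inductive positions are designed to exclude.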

The condition (I6) means that the predicate-arguments of a constructor must be parameters of the type they define. One can find a similar condition in the work of Walukiewicz [30] (called "$\star$-dependency") and in the work of Stefanova [27] (called "safeness").

On the other hand, there is no such explicit restriction in CIC. But the elimination scheme is typed in such a way that no very interesting function can be defined on a type not satisfying (I6). For example, consider the type of heterogeneous non-empty lists (we use the CIC syntax here) $listh = Ind(X:*)\{C_1 \mid C_2\}$ where $C_1 = (A:*)(x:A)X$ and $C_2 = (A:*)(x:A)X \to X$. The typing rule for the non-dependent elimination schema (Nodep$_{*,*}$) is :

$$\dfrac{\Gamma \vdash t : listh \quad \Gamma \vdash Q : * \quad \forall i,\ \Gamma \vdash f_i : C_i\{listh, Q\}}{\Gamma \vdash Elim(t, Q)\{f_1 \mid f_2\} : Q}$$

where $C_1\{listh, Q\} = (A:*)(x:A)Q$ and $C_2\{listh, Q\} = (A:*)(x:A)listh \to Q \to Q$. Since $Q$, $f_1$ and $f_2$ must be typable in $\Gamma$, the result of $f_1$ and $f_2$ cannot depend on $A$ or on $x$. This means that it is possible to compute the length of such a list but not to use an element of the list.

Definition 6 (Primitive, basic and strictly positive predicates) A free predicate symbol $C$ is :

• primitive if, for all $D =_{\mathcal F} C$, for all constructor $d$ of type $\tau_d = (\vec y:\vec U)D(\vec w)$ and for all $j \in Acc(d)$, $U_j$ is either of the form $E(\vec t)$ with $E <_{\mathcal F} D$ and $E$ basic, or of the form $E(\vec t)$ with $E =_{\mathcal F} D$.

• basic if, for all $D =_{\mathcal F} C$, for all constructor $d$ of type $\tau_d = (\vec y:\vec U)D(\vec w)$ and for all $j \in Acc(d)$, if $E =_{\mathcal F} D$ occurs in $U_j$ then $U_j$ is of the form $E(\vec t)$.

• strictly positive if, for all $D =_{\mathcal F} C$, for all constructor $d$ of type $\tau_d = (\vec y:\vec U)D(\vec w)$ and for all $j \in Acc(d)$, if $E =_{\mathcal F} D$ occurs in $U_j$ then $U_j$ is of the form $(\vec z:\vec V)E(\vec t)$ and no occurrence of $D' =_{\mathcal F} D$ occurs in $\vec V$.

For example, the type $list$ of polymorphic lists is basic but not primitive. The type $listint$ of lists of integers with the constructors $nilint : listint$ and $consint : int \to listint \to listint$ is primitive. And the type $ord$ of Brouwer's ordinals with the constructors $0 : ord$, $s : ord \to ord$ and $lim : (nat \to ord) \to ord$ is strictly positive.

Although we do not explicitly forbid non-strictly positive predicate symbols, the admissibility conditions we are going to describe in the following subsections will not enable us to define functions on such a predicate. The same restriction applies in CIC, while the system of Walukiewicz [30] is restricted to basic predicates and the $\lambda R$-cube [1] or NDM [13] are restricted to primitive and non-dependent predicates. However, in the following, for lack of space, we will restrict our attention to basic predicates.



3.2 General Schema 

The constructors of primitive predicates (remember that they include all symbols whose output type is a primitive predicate), defined by usual first-order rules, are easily shown to be strongly normalizing since the combination of first-order rewriting with $\to_\beta$ preserves strong normalization [8].

On the other hand, in the presence of higher-order rules, few techniques are known :

• Van de Pol [28] extended to the higher-order case the use of strictly monotone interpretations. This technique is very powerful but difficult to use in practice and has not been studied yet in type systems richer than the simply-typed $\lambda$-calculus.

• Jouannaud and Okada [21] defined a syntactic criterion, the General Schema, which extends primitive recursive definitions. This schema has been reformulated and enhanced to deal with definitions on strictly-positive types [6], to higher-order pattern-matching [3] and to richer type systems with object-level rewriting [1, 5].

• Jouannaud and Rubio [22] extended to the higher-order case the use of Dershowitz's recursive path ordering. The obtained ordering can be seen as a recursive version of the General Schema and has been extended by Walukiewicz [30] to the Calculus of Constructions with object-level rewriting.

Here, we present an extension of the General Schema defined in [5] to deal with type-level rewriting, the main novelty of our paper.

The General Schema is based on Tait and Girard's computability predicate technique [19] for proving the strong normalization of the simply-typed $\lambda$-calculus and system F. This technique consists in interpreting each type $T$ by a set $[\![T]\!]$ of strongly normalizable terms, called computable, and in proving that $t \in [\![T]\!]$ whenever $\Gamma \vdash t : T$.

The idea of the General Schema is then to define, from a left-hand side of rule $f(\vec l)$, a set of right-hand sides $r$ that are computable whenever the $l_i$'s are computable. This set is built from the variables of the left-hand side, called accessible, that are computable whenever the $l_i$'s are computable, and is then closed by computability-preserving operations.

For the sake of simplicity, two sequences of arguments of a symbol $f$ will be compared in a lexicographic manner. But it is possible to do these comparisons in a multiset manner or with a simple combination of lexicographic and multiset comparisons (see [4] for details).
Definition 7 (Accessibility) A pair $(u, U)$ is accessible in a pair $(t, T)$, written $(t,T) \triangleright_1 (u,U)$, if $(t,T) = (c(\vec u), C(\vec v)\gamma)$ and $(u,U) = (u_j, U_j\gamma)$ with $c$ a constructor of type $\tau_c = (\vec y:\vec U)C(\vec v)$, $\gamma = \{\vec y \mapsto \vec u\}$ and $j \in Acc(c)$.

For example, in the definition of $app$ previously given, $A'$, $x$ and $\ell$ are all accessible in $t = cons(A', x, \ell)$ : $(t, list(A)) \triangleright_1 (A', *)$, $(t, list(A)) \triangleright_1 (x, A')$ and $(t, list(A)) \triangleright_1 (\ell, list(A'))$.

Definition 8 (Derived type) Let $t$ be a term of the form $l\sigma$ with $l = f(\vec l)$ algebraic, $\tau_f = (\vec x:\vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$. Let $p \in Pos(l)$ with $p \ne \varepsilon$. The subterm $t|_p$ of $t$ has a derived type, $\tau(t,p)$, defined as follows :

- if $p = i$ then $\tau(t,p) = T_i\gamma\sigma$,

- if $p = iq$ and $q \ne \varepsilon$ then $\tau(t,p) = \tau(t|_i, q)$.

Definition 9 (Well-formed rule) Let $R = (l \to r, \Gamma, \rho)$ be a rule with $l = f(\vec l)$, $\tau_f = (\vec x:\vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$. The rule $R$ is well-formed if, for all $x \in dom(\Gamma)$, there is $i \le \alpha_f$ and $p_x \in Pos(x, l_i)$ such that $(l_i, T_i\gamma) \triangleright_1^* (x, \tau(l, ip_x))$ and $\tau(l, ip_x)\rho = x\Gamma$.

Definition 10 (Computable closure) Let $R = (l \to r, \Gamma, \rho)$ be a rule with $l = f(\vec l)$, $\tau_f = (\vec x:\vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$. The order $>$ on the arguments of $f$ is the lexicographic extension of $\triangleright_1^+$. The computable closure of $R$ is the relation $\vdash_c$ defined by the rules of Figure 2.

Definition 11 (General Schema) A rule $(f(\vec l) \to r, \Gamma, \rho)$ with $\tau_f = (\vec x:\vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$ satisfies the General Schema if it is well-formed and $\Gamma \vdash_c r : U\gamma\rho$.

It is easy to check that the rules for $app$ are well-formed and that $\Gamma \vdash_c cons(A, x, app(A, \ell, \ell')) : list(A)$. For example, we show that $\Gamma \vdash_c app(A, \ell, \ell') : list(A)$ :

$\dfrac{\Gamma \vdash_c * : \Box}{\Gamma \vdash_c A : *}$ (acc) $\qquad$ $\dfrac{\Gamma \vdash_c A : *}{\Gamma \vdash_c list(A) : *}$ (symb$_<$)

$\dfrac{\Gamma \vdash_c A : * \quad \Gamma \vdash_c \ell : list(A) \quad \Gamma \vdash_c \ell' : list(A) \quad (cons(A', x, \ell), list(A)) > (\ell, list(A))}{\Gamma \vdash_c app(A, \ell, \ell') : list(A)}$ (symb$_=$)

Figure 2: Computable closure

(acc) $\dfrac{\Gamma \vdash_c x\Gamma : s \quad x \in dom^s(\Gamma)}{\Gamma \vdash_c x : x\Gamma}$

(ax) $\dfrac{}{\Gamma \vdash_c * : \Box}$

(symb$_<$) $\dfrac{g \in \mathcal F \quad \tau_g = (\vec y:\vec U)V \quad \gamma' = \{\vec y \mapsto \vec u\} \quad g <_{\mathcal F} f \quad \vdash \tau_g : s \quad \forall i,\ \Gamma \vdash_c u_i : U_i\gamma'}{\Gamma \vdash_c g(\vec u) : V\gamma'}$

(symb$_=$) $\dfrac{g \in \mathcal F \quad \tau_g = (\vec y:\vec U)V \quad \gamma' = \{\vec y \mapsto \vec u\} \quad g =_{\mathcal F} f \quad \vdash \tau_g : s \quad \forall i,\ \Gamma \vdash_c u_i : U_i\gamma' \quad (\vec l, \vec T\gamma) > (\vec u, \vec U\gamma')}{\Gamma \vdash_c g(\vec u) : V\gamma'}$

(var) $\dfrac{\Gamma \vdash_c T : s \quad x \in \mathcal X^s \setminus FV(l)}{\Gamma, x:T \vdash_c x : T}$

(weak) $\dfrac{\Gamma \vdash_c t : T \quad \Gamma \vdash_c U : s \quad x \in \mathcal X^s \setminus FV(l)}{\Gamma, x:U \vdash_c t : T}$

(prod) $\dfrac{\Gamma \vdash_c T : s \quad \Gamma, x:T \vdash_c U : s'}{\Gamma \vdash_c (x:T)U : s'}$

(abs) $\dfrac{\Gamma, x:T \vdash_c u : U \quad \Gamma \vdash (x:T)U : s}{\Gamma \vdash_c [x:T]u : (x:T)U}$

(app) $\dfrac{\Gamma \vdash_c t : (x:U)V \quad \Gamma \vdash_c u : U}{\Gamma \vdash_c tu : V\{x \mapsto u\}}$

(conv) $\dfrac{\Gamma \vdash_c t : T \quad T \downarrow^* T' \quad \Gamma \vdash_c T' : s'}{\Gamma \vdash_c t : T'}$

3.3 Admissibility conditions

Definition 12 (Rewrite systems) Let $\mathcal G$ be a set of symbols. The rewrite system $(\mathcal G, \mathcal R_{\mathcal G})$ is :

• algebraic if :

- $\mathcal G$ is made of predicate symbols or of constructors of primitive predicates,

- all rules of $\mathcal R_{\mathcal G}$ have an algebraic right-hand side;

• non-duplicating if, for all $l \to r \in \mathcal R_{\mathcal G}$, no variable has more occurrences in $r$ than in $l$;

• primitive if, for all rule $l \to r \in \mathcal R_{\mathcal G}$, $r$ is of the form $[\vec x:\vec T]g(\vec u)\vec v$ with $g$ belonging to $\mathcal G$ or $g$ being a primitive predicate symbol;

• simple if, for all $g(\vec l) \to r \in \mathcal R_{\mathcal G}$ :

- all the symbols occurring in $\vec l$ are free,

- for all sequence of terms $\vec t$, at most one rule can apply at the top of $g(\vec t)$,

- for all rule $g(\vec l) \to r \in \mathcal R_{\mathcal G}$ and all $Y \in FV^\Box(r)$, there is a unique $\kappa_Y$ such that $l_{\kappa_Y} = Y$;

• positive if, for all $l \to r \in \mathcal R_{\mathcal G}$ and all $g \in \mathcal G$, $Pos(g, r) \subseteq Pos^+(r)$;

• recursive if all the rules of $\mathcal R_{\mathcal G}$ satisfy the General Schema;

• safe if, for all $(g(\vec l) \to r, \Gamma, \rho) \in \mathcal R_{\mathcal G}$ with $\tau_g = (\vec x:\vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$ :

- for all $X \in FV^\Box(\vec T U)$, $X\gamma\rho \in dom^\Box(\Gamma)$,

- for all $X, X' \in FV^\Box(\vec T U)$, $X\gamma\rho = X'\gamma\rho \Rightarrow X = X'$.

Definition 13 (Admissible CAC) A CAC is admissible if :

(A1) $\to = \to_{\mathcal R} \cup \to_\beta$ is confluent;

(A2) its inductive structure is admissible;

(A3) $(\mathcal{DF}^\Box, \mathcal R_{\mathcal{DF}^\Box})$ is either :

- primitive,

- simple and positive,

- simple and recursive;

(A4) there is a partition $\mathcal F_a \uplus \mathcal F_{na}$ of $\mathcal{DF}$ (algebraic and non-algebraic symbols) such that :

- $(\mathcal F_a, \mathcal R_{\mathcal F_a})$ is algebraic, non-duplicating and strongly normalizing,

- no symbol of $\mathcal F_{na}$ occurs in the rules of $\mathcal R_{\mathcal F_a}$,

- $(\mathcal F_{na}, \mathcal R_{\mathcal F_{na}})$ is safe and recursive.

The simplicity condition in (A3) extends to the case of rewriting the restriction in CIC of strong elimination to "small" inductive types, that is, to the types whose constructors have no predicate-arguments except the parameters of the type.

The safeness condition in (A4) means that one cannot do pattern-matching or equality tests on predicate-arguments that are necessary for typing other arguments. In her extension of HORPO to the Calculus of Constructions, Walukiewicz requires similar conditions [30].

The non-duplication condition in (A4) ensures the modularity of the strong normalization. Indeed, in general, the combination of two strongly normalizing rewrite systems is not strongly normalizing.

Now, for proving (A1), one can use the following result of van Oostrom [29] (remember that $\mathcal R \cup \beta$ can be seen as a CRS [23]) : the combination of two confluent left-linear CRS's having no critical pairs between each other is confluent. So, since $\to_\beta$ is confluent and $\mathcal R$ and $\beta$ cannot have critical pairs between each other, if $\mathcal R$ is left-linear and confluent then $\to_{\mathcal R} \cup \to_\beta$ is confluent. Therefore, our conditions (S1) to (S5) are very useful to eliminate the non-linearities due to typing reasons.
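As an added example (not code from the paper), the following Python script runs the purely syntactic checks that the conditions above rely on over the two definitions of $app$ from Section 2.3: the rule shape required in Section 2.1 ($l = f(\vec l)$ algebraic with $FV(r) \subseteq FV(l)$), left-linearity (the hypothesis of van Oostrom's result used for (A1)) and non-duplication (Definition 12, used in (A4)). The term representation and the helper functions are mine; the rules are the page's.

```python
# Added example (not from the paper): syntactic checks on rewrite rules,
# run on the two definitions of app from Section 2.3.  `is_rule` checks the
# shape required in Section 2.1 (l = f(l) algebraic, FV(r) included in
# FV(l)); `is_left_linear` is the hypothesis of van Oostrom's result used
# for (A1); `is_non_duplicating` is the condition of Definition 12 used in
# (A4).  Terms are tuples ('var', name) or ('sym', name, args); right-hand
# sides are taken algebraic here, as they are for app.
from collections import Counter

def var(name):          return ('var', name)
def sym(name, *args):   return ('sym', name, tuple(args))

def variable_occurrences(t):
    """Multiset of the variable occurrences of an algebraic term."""
    if t[0] == 'var':
        return Counter([t[1]])
    total = Counter()
    for a in t[2]:
        total += variable_occurrences(a)
    return total

def is_algebraic(t):
    """A variable, or a symbol applied to algebraic terms."""
    return t[0] == 'var' or all(is_algebraic(a) for a in t[2])

def is_rule(lhs, rhs):
    """l -> r with l algebraic of the form f(l) and FV(r) included in FV(l)."""
    return (lhs[0] == 'sym' and is_algebraic(lhs)
            and set(variable_occurrences(rhs)) <= set(variable_occurrences(lhs)))

def is_left_linear(lhs, rhs):
    """No variable occurs twice in the left-hand side."""
    return all(n == 1 for n in variable_occurrences(lhs).values())

def is_non_duplicating(lhs, rhs):
    """No variable has more occurrences in r than in l (Definition 12)."""
    left, right = variable_occurrences(lhs), variable_occurrences(rhs)
    return all(right[x] <= left[x] for x in right)

def check(rules):
    """Per rule: (is a rule, left-linear, non-duplicating)."""
    return [(is_rule(l, r), is_left_linear(l, r), is_non_duplicating(l, r))
            for l, r in rules]

A, A1, X, L, L2 = var('A'), var("A'"), var('x'), var('l'), var("l'")

# The typable definition of app (A repeated on the left).
NON_LEFT_LINEAR = [
    (sym('app', A, sym('nil', A), L), L),
    (sym('app', A, sym('cons', A, X, L), L2), sym('cons', A, X, sym('app', A, L, L2))),
]
# The left-linear definition of app (A' distinct from A).
LEFT_LINEAR = [
    (sym('app', A, sym('nil', A1), L), L),
    (sym('app', A, sym('cons', A1, X, L), L2), sym('cons', A, X, sym('app', A, L, L2))),
]

if __name__ == '__main__':
    print(check(NON_LEFT_LINEAR))   # [(True, False, True), (True, False, True)]
    print(check(LEFT_LINEAR))       # [(True, True, True), (True, True, False)]
```

The checker also shows a trade-off the conditions make visible: the left-linear second rule duplicates $A$ on its right-hand side, so $app$ cannot sit in the non-duplicating algebraic part $\mathcal F_a$ of (A4); it belongs to $\mathcal F_{na}$, where its rules are justified by the General Schema instead, as the page does for $app$ in Section 3.2.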

We can now state our main result. You can find a 
detailed proof in [4]. 

Theorem 14 (Strong normalization) Any admissible CAC is strongly normalizing.

The proof is based on Coquand and Gallier's extension to the Calculus of Constructions [9] of Tait and Girard's computability predicate technique [19]. As explained before, the idea is to define an interpretation for each type and to prove that each well-typed term belongs to the interpretation of its type.

The main difficulty is to define an interpretation for predicate symbols that is invariant by reduction, a condition required by the type conversion rule (conv).

Thanks to the positivity conditions, the interpretation of a free predicate symbol can be defined as the least fixpoint of a monotone function over the lattice of computability predicates.

For the defined predicate symbols, it depends on the kind of system $(\mathcal{DF}^\Box, \mathcal R_{\mathcal{DF}^\Box})$ is. If it is primitive then we simply interpret it as the set of strongly normalizable terms. If it is positive then, thanks to the positivity condition, we can interpret it as a least fixpoint. Finally, if it is recursive then we can define its interpretation recursively, the General Schema providing a well-founded definition.

4 Examples 

4.1 Calculus of Inductive Constructions

We are going to see that we can apply our strong normalization theorem to a sub-system of CIC [26] by translating it into an admissible CAC. The first complete proof of strong normalization of CIC (with strong elimination) is due to Werner [31] who, in addition, considers $\eta$-reductions in the type conversion rule.

In CIC, one has strictly-positive inductive types and the corresponding induction principles. We recall the syntax and the typing rules of CIC but, for the sake of simplicity, we will restrict our attention to basic inductive types and non-dependent elimination schemas. For a complete presentation, see [4].

• Inductive types are denoted by $Ind(X:A)\{\vec C\}$ where the $C_i$'s are the types of the constructors. The term $A$ must be of the form $(\vec x:\vec A)*$ and the $C_i$'s of the form $(\vec z:\vec B)X\vec m$.

• The $i$-th constructor of an inductive type $I$ is denoted by $Constr(i, I)$.

• Recursors are denoted by $Elim(I, Q, \vec a, c)$ where $I$ is the inductive type, $Q$ the type of the result, $\vec a$ the arguments of $I$ and $c$ a term of type $I\vec a$.

The typing rules for these constructions are given in Figure 3. The rules for the other constructions are the same as for the Calculus of Constructions.

If $C_i = (\vec z:\vec B)X\vec m$ then $C_i\{I, Q\}$ denotes $(\vec z:\vec B\{X \mapsto I\})(\vec z':\vec B'\{X \mapsto Q\})Q\vec m$, where $\vec z':\vec B'$ ranges over the $z_j : B_j$ with $B_j$ of the form $X\vec a'$.

Figure 3: Typing rules of CIC

(Ind) $\dfrac{\forall i,\ \Gamma, X:A \vdash C_i : *}{\Gamma \vdash Ind(X:A)\{\vec C\} : A}$

(Constr) $\dfrac{\Gamma \vdash I = Ind(X:A)\{\vec C\} : A}{\Gamma \vdash Constr(i, I) : C_i\{X \mapsto I\}}$

(Nodep$_{*,s}$) $\dfrac{\Gamma \vdash c : I\vec a \quad \Gamma \vdash Q : (\vec x:\vec A)s \quad \forall i,\ \Gamma \vdash f_i : C_i\{I, Q\}}{\Gamma \vdash Elim(I, Q, \vec a, c)\{\vec f\} : Q\vec a}$

The reduction relation associated to $Elim$ is called $\iota$-reduction and is defined as follows :

$$Elim(I, Q, \vec a, Constr(i, I')\vec b)\{\vec f\} \to_\iota f_i\ \vec b\ \vec b'$$

where, if $C_i = (\vec z:\vec B)X\vec m$, then $b'_j = Elim(I, Q, \vec a', b_j)\{\vec f\}$ if $B_j = X\vec a'$, and $b'_j = b_j$ otherwise.

Now, we consider the sub-system CIC$^-$ obtained by applying the following restrictions :

• In the typing rules (Ind) and (Constr), we assume that $\Gamma$ is empty since, in CAC, the types of the symbols must be typable in the empty environment.

• In the rule (Nodep$_{*,*}$) (the one for weak elimination), we require $Q$ to be typable in the empty environment.

• In the rule (Nodep$_{*,\Box}$) (the one for strong elimination), instead of requiring $\Gamma \vdash Q : (\vec x:\vec A)\Box$ which is not possible in the Calculus of Constructions since $\Box$ is not typable, we require $Q$ to be a closed term of the form $[\vec x:\vec A]K$ with $K$ of the form $(\vec y:\vec U)*$.

• We assume that every inductive type satisfies (I6).

Theorem 15 CIC$^-$ can be translated into an admissible CAC, hence is strongly normalizing.

We define the translation $(\ )$ by induction on the size of terms :

• Let $I = Ind(X:A)\{\vec C\}$. We define $(I) = [\vec x:(\vec A)]Ind_I(\vec x)$ where $Ind_I$ is a symbol of type $(\vec x:(\vec A))*$.

• By assumption, $C_i = (\vec z:\vec B)X\vec m$. We define $(Constr(i, I)) = [\vec z:(\vec B)]Constr_i^I(\vec z)$ where $Constr_i^I$ is a symbol of type $(\vec z:(\vec B))Ind_I((\vec m))$.

• Let $T_i = C_i\{I, Q\}$. If $Q = [\vec x:\vec A]K$ then we define $(Elim(I, Q, \vec a, c)\{\vec f\}) = SElim_I^Q((\vec f), (\vec a), (c))$ where $SElim_I^Q$ is a symbol of type $(\vec f:(\vec T))(\vec x:(\vec A))(c:Ind_I(\vec x))(K)$. Otherwise, we define $(Elim(I, Q, \vec a, c)\{\vec f\}) = WElim_I((Q), (\vec f), (\vec a), (c))$ where $WElim_I$ is a symbol of type $(Q:(A))(\vec f:(\vec T))(\vec x:(\vec A))(c:Ind_I(\vec x))(Q)\vec x$.

• The other terms are defined recursively ($(uv) = (u)(v)$, ...).

The $\iota$-reduction is translated by the following rules :

$$SElim_I^Q(\vec f, \vec a, Constr_i^I(\vec b)) \to f_i\ \vec b\ \vec b'$$
$$WElim_I(Q, \vec f, \vec a, Constr_i^I(\vec b)) \to f_i\ \vec b\ \vec b'$$

where, if $C_i = (\vec z:\vec B)X\vec m$, then $b'_j = SElim_I^Q(\vec f, \vec a', b_j)$ (or $WElim_I(Q, \vec f, \vec a', b_j)$) if $B_j = X\vec a'$, and $b'_j = b_j$ otherwise.

Now, we are left to check the admissibility :

(A1) $\to_{\mathcal R}$ is orthogonal, hence confluent [29].

(A2) The inductive structure defined by $I <_{\mathcal F} J$ if $I$ is a subterm of $J$, $Ind(Ind_I) = \emptyset$, $Acc(Constr_i^I) = \{1,..,|\vec z|\}$ if $C_i = (\vec z:\vec B)X\vec m$, is admissible.

(A3) The rules defining the strong recursors form a simple (they are defined by case on each constructor and only for small inductive types) and recursive rewrite system (they satisfy the General Schema).

(A4) The rules defining the recursors form a safe (except for the constructor, all the arguments are distinct variables) and recursive rewrite system (they satisfy the General Schema).

4.2 Natural Deduction Modulo 

NDM for first-order logic [12] can be presented as an extension of Natural Deduction with the additional inference rule:

  Γ ⊢ P
  ――――――  (P ≡ Q)
  Γ ⊢ Q

where ≡ is a congruence relation on propositions. This is a powerful extension of first-order logic since both higher-order logic and set theory with a comprehension symbol can be described in this framework (by using explicit substitutions).

In [13], Dowek and Werner study the termination of cut-elimination in the case where ≡ is induced by a confluent and weakly normalizing rewrite system. In particular, they prove the termination in two general cases: when the rewrite system is positive and when it is quantifier-free. In [14], they provide an example of a confluent and weakly normalizing rewrite system for which cut-elimination is not terminating. The problem comes from the fact that the elimination rule for ∀ introduces a substitution:

  Γ ⊢ ∀x.P(x)
  ―――――――――――
  Γ ⊢ P(t)

Thus, when a predicate symbol is defined by a rule whose right-hand side contains quantifiers, its combination with β may not preserve normalization. Therefore, a criterion for higher-order rewriting is needed.

Since NDM is a CAC (we can define the logical connectors as inductive types), we can compare in more detail the conditions of [13] with our conditions.

(A1) In [13], only →_R is required to be confluent. In general, this is not sufficient for having the confluence of →_R ∪ →_β. However, if R is left-linear then →_R ∪ →_β is confluent [29].

(A2) NDM types are primitive and form an admissible inductive structure if we take them equivalent in the relation <_I.

(A3) In [13], the termination of cut-elimination is proved in two general cases: when (𝒟F_a, ℛ_{𝒟F_a}) is quantifier-free and when it is positive. Quantifier-free rewrite systems are primitive. So, in this case, (A3) is satisfied. In the positive case, we require that left-hand sides are made of free symbols and that at most one rule can apply at the top of a term. On the other hand, we provide a new case: (𝒟F_a, ℛ_{𝒟F_a}) can be simple and recursive.

(A4) Quantifier-free rules are algebraic and rules with quantifiers are not. In [13], these two kinds of rules are treated in the same way, but the counter-example given in [14] shows that they should not be. In CAC, we require that the rules with quantifiers satisfy the General Schema.

Theorem 16 An NDM system satisfying (A1), (A3) and (A4) is admissible, hence strongly normalizing.

4.3 CIC + Rewriting 

As a combination of the two previous applications, our 
work shows that the extension of CIC~ with user- 
defined rewrite rules, even at the predicate-level, is 
sound if these rules follow our admissibility conditions. 

As an example, we consider simplification rules on propositions that are not definable in CIC. Assume that we have the symbols ∨ : ⋆ → ⋆ → ⋆, ∧ : ⋆ → ⋆ → ⋆, ¬ : ⋆ → ⋆, ⊥ : ⋆, ⊤ : ⋆ and the rules:

⊤ ∨ P → ⊤    ⊥ ∧ P → ⊥    ¬⊤ → ⊥
P ∨ ⊤ → ⊤    P ∧ ⊥ → ⊥    ¬⊥ → ⊤

¬(P ∧ Q) → ¬P ∨ ¬Q    ¬(P ∨ Q) → ¬P ∧ ¬Q

The predicate constructors ∨, ∧, ... are all primitive. The rewrite system is primitive, algebraic, strongly normalizing and confluent (this can be automatically proved by CiME [16]). Since it is left-linear, its combination with →_β is confluent [29]. Therefore, it is an admissible CAC. But it lacks many other rules [20] which require rewriting modulo associativity and commutativity, an extension we leave for future work.
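The rewrite system of this section, as an added example that is not part of the paper: a small first-order term rewriter in Python that encodes the eight rules and mechanically checks two of the properties claimed above, left-linearity and confluence (the latter through the critical-pair check that a tool such as CiME automates). The encoding of terms as nested tuples with variables as plain strings, and the function names, are assumptions of this example.

```python
"""Term rewriting with the proposition simplification rules of Section 4.3.
Added example, not code from the paper. Assumed encoding: ('or', s, t),
('and', s, t), ('not', s), constants TOP/BOT, variables as strings ('P', 'Q')."""
TOP, BOT = ('top',), ('bot',)
def Or(s, t): return ('or', s, t)
def And(s, t): return ('and', s, t)
def Not(s): return ('not', s)
def is_var(t): return isinstance(t, str)

# The eight rules of Section 4.3 as (left-hand side, right-hand side) pairs.
RULES = [(Or(TOP, 'P'), TOP), (Or('P', TOP), TOP),
         (And(BOT, 'P'), BOT), (And('P', BOT), BOT),
         (Not(TOP), BOT), (Not(BOT), TOP),
         (Not(And('P', 'Q')), Or(Not('P'), Not('Q'))),
         (Not(Or('P', 'Q')), And(Not('P'), Not('Q')))]

def match(pat, term, subst):
    # One-way matching of a rule pattern against a term; None if no match.
    if is_var(pat):
        return subst if subst.setdefault(pat, term) == term else None
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def subst_apply(term, subst):
    if is_var(term):
        return subst.get(term, term)
    return (term[0],) + tuple(subst_apply(a, subst) for a in term[1:])

def variables(t):
    return {t} if is_var(t) else set().union(*[variables(a) for a in t[1:]])

def step(term, rules=RULES):
    """One outermost-leftmost rewrite step; None if term is in normal form."""
    for lhs, rhs in rules:
        if (s := match(lhs, term, {})) is not None:
            return subst_apply(rhs, s)
    for i in range(1, 0 if is_var(term) else len(term)):
        if (r := step(term[i], rules)) is not None:
            return term[:i] + (r,) + term[i + 1:]
    return None

def normalize(term, rules=RULES):
    """Normal form and step count; the loop ends because the system is SN."""
    n = 0
    while (nxt := step(term, rules)) is not None:
        term, n = nxt, n + 1
    return term, n

def is_left_linear(rules):
    """Every variable occurs at most once in each left-hand side."""
    occ = lambda t: [t] if is_var(t) else [v for a in t[1:] for v in occ(a)]
    return all(len(occ(l)) == len(set(occ(l))) for l, _ in rules)

def unify(s, t, subst):
    """Syntactic unification with occurs check; keeps subst idempotent."""
    s, t = subst_apply(s, subst), subst_apply(t, subst)
    if s == t:
        return subst
    if is_var(t) and not is_var(s):
        return unify(t, s, subst)
    if is_var(s):
        if s in variables(t):
            return None
        return {**{k: subst_apply(v, {s: t}) for k, v in subst.items()}, s: t}
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        if (subst := unify(a, b, subst)) is None:
            return None
    return subst

def positions(t):
    # (position, subterm) pairs for every non-variable subterm of t.
    return [] if is_var(t) else [((), t)] + [((i,) + p, u) for i in range(1, len(t)) for p, u in positions(t[i])]

def replace(t, pos, new):
    return new if not pos else t[:pos[0]] + (replace(t[pos[0]], pos[1:], new),) + t[pos[0] + 1:]

def critical_pairs(rules):
    """Overlaps of a rule's left-hand side with a non-variable subterm of another's."""
    pairs = []
    for i, (l1, r1) in enumerate(rules):
        for j, (l2, r2) in enumerate(rules):
            ren = {v: v + "'" for v in variables(l2)}      # rename variables apart
            l2, r2 = subst_apply(l2, ren), subst_apply(r2, ren)
            for pos, sub in positions(l1):
                if i == j and pos == ():
                    continue                                # trivial self-overlap
                if (s := unify(sub, l2, {})) is not None:
                    pairs.append((subst_apply(replace(l1, pos, r2), s), subst_apply(r1, s)))
    return pairs

def is_locally_confluent(rules):
    """Critical-pair lemma; comparing normal forms is sound only because the system is SN."""
    return all(normalize(a, rules)[0] == normalize(b, rules)[0] for a, b in critical_pairs(rules))
```

`normalize` implements the reduction itself and terminates because the system is strongly normalizing, which this code does not check (the paragraph relies on CiME for that). `is_left_linear` checks the side condition under which the union with →_β stays confluent. `critical_pairs` computes every overlap between two left-hand sides and `is_locally_confluent` tests that each pair is joinable; since the system terminates, joinability can be decided by comparing normal forms and Newman's lemma lifts local confluence to confluence. For these eight rules the only non-trivial overlaps are ¬(⊥ ∧ P), ¬(P ∧ ⊥), ¬(⊤ ∨ P) and ¬(P ∨ ⊤), each of which rewrites to the same normal form along both paths.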

5 Conclusion 

We have defined an extension of the Calculus of Con- 
structions by functions and predicates defined with 
rewrite rules. The main contributions of our work are 
the following : 

• We consider a general notion of rewriting at the 
predicate-level which generalizes the "strong elimi- 
nation" of the Calculus of Inductive Constructions 
[26, 31]. For example, we can define simplification 
rules on propositions that are not definable in CIC. 

• We consider general syntactic conditions, including 
confluence, that ensure the strong normalization of 
the calculus. In particular, these conditions are ful- 
filled by two important systems : a sub-system of 
the Calculus of Inductive Constructions which is the 
basis of the proof assistant Coq [17], and the Natu- 
ral Deduction Modulo [12, 13] a large class of equa- 
tional theories. 

• We use a more general notion of constructor which 
allows pattern-matching on defined symbols and 
equations among constructors. 

• We relax the usual conditions on rewrite rules for ensuring the subject reduction property. In this way, we can eliminate some non-linearities in left-hand sides of rules and ease the confluence proof.

6 Directions for future work 

• In our conditions, we assume that the predicate 
symbols defined by rewrite rules containing quan- 
tifiers ("non-primitive" predicate symbols) are de- 
fined by pattern-matching on free symbols only 
("simple" systems). It would be nice to be able 
to relax this condition. 

• Another important assumption is that the reduction relation →_R ∪ →_β must be confluent. We will try to find sufficient conditions on R in order to get the confluence of →_R ∪ →_β. In the simply-typed λ-calculus, if R is a first-order rewrite system then the confluence of R is a sufficient condition [7]. But few results are known in the case of a richer type system or of higher-order rewriting.

• Finally, we expect to extend this work with rewriting modulo some useful equational theories like associativity and commutativity, and also by allowing η-reductions in the type conversion rule.